2 * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003,2006,2007,2008 by the Massachusetts Institute of Technology,
3 * Cambridge, MA, USA. All Rights Reserved.
5 * This software is being provided to you, the LICENSEE, by the
6 * Massachusetts Institute of Technology (M.I.T.) under the following
7 * license. By obtaining, using and/or copying this software, you agree
8 * that you have read, understood, and will comply with these terms and
11 * Export of this software from the United States of America may
12 * require a specific license from the United States Government.
13 * It is the responsibility of any person or organization contemplating
14 * export to obtain such a license before exporting.
16 * WITHIN THAT CONSTRAINT, permission to use, copy, modify and distribute
17 * this software and its documentation for any purpose and without fee or
18 * royalty is hereby granted, provided that you agree to comply with the
19 * following copyright notice and statements, including the disclaimer, and
20 * that the same appear on ALL copies of the software and documentation,
21 * including modifications that you make for internal use or for
24 * THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO REPRESENTATIONS
25 * OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not
26 * limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF
27 * MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF
28 * THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY
29 * PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.
31 * The name of the Massachusetts Institute of Technology or M.I.T. may NOT
32 * be used in advertising or publicity pertaining to distribution of the
33 * software. Title to copyright in this software and any associated
34 * documentation shall at all times remain with M.I.T., and USER agrees to
37 * Furthermore if you modify this software you must label
38 * your software as modified software and not distribute it in such a
39 * fashion that it might be confused with the original M.I.T. software.
43 * Copyright (C) 1998 by the FundsXpress, INC.
45 * All rights reserved.
47 * Export of this software from the United States of America may require
48 * a specific license from the United States Government. It is the
49 * responsibility of any person or organization contemplating export to
50 * obtain such a license before exporting.
52 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53 * distribute this software and its documentation for any purpose and
54 * without fee is hereby granted, provided that the above copyright
55 * notice appear in all copies and that both that copyright notice and
56 * this permission notice appear in supporting documentation, and that
57 * the name of FundsXpress. not be used in advertising or publicity pertaining
58 * to distribution of the software without specific, written prior
59 * permission. FundsXpress makes no representations about the suitability of
60 * this software for any purpose. It is provided "as is" without express
61 * or implied warranty.
63 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
64 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
65 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
69 * This prototype for k5-int.h (Krb5 internals include file)
70 * includes the user-visible definitions from krb5.h and then
71 * includes other definitions that are not user-visible but are
72 * required for compiling Kerberos internal routines.
74 * John Gilmore, Cygnus Support, Sat Jan 21 22:45:52 PST 1995
81 #error krb5.h included before k5-int.h
82 #endif /* KRB5_GENERAL__ */
86 #if defined(__MACH__) && defined(__APPLE__)
87 # include <TargetConditionals.h>
88 # if TARGET_RT_MAC_CFM
89 # error "Use KfM 4.0 SDK headers for CFM compilation."
100 * Machine-type definitions: PC Clone 386 running Microloss Windows
103 #if defined(_MSDOS) || defined(_WIN32)
106 /* Kerberos Windows initialization file */
107 #define KERBEROS_INI "kerberos.ini"
108 #define INI_FILES "Files"
109 #define INI_KRB_CCACHE "krb5cc" /* Location of the ccache */
110 #define INI_KRB5_CONF "krb5.ini" /* Location of krb5.conf file */
114 #include "autoconf.h"
116 #ifndef KRB5_SYSTYPES__
117 #define KRB5_SYSTYPES__
119 #ifdef HAVE_SYS_TYPES_H /* From autoconf.h */
120 #include <sys/types.h>
121 #else /* HAVE_SYS_TYPES_H */
122 typedef unsigned long u_long;
123 typedef unsigned int u_int;
124 typedef unsigned short u_short;
125 typedef unsigned char u_char;
126 #endif /* HAVE_SYS_TYPES_H */
127 #endif /* KRB5_SYSTYPES__ */
130 #include "k5-platform.h"
131 /* not used in krb5.h (yet) */
132 typedef UINT64_TYPE krb5_ui_8;
133 typedef INT64_TYPE krb5_int64;
136 #define DEFAULT_PWD_STRING1 "Enter password"
137 #define DEFAULT_PWD_STRING2 "Re-enter password for verification"
139 #define KRB5_KDB_MAX_LIFE (60*60*24) /* one day */
140 #define KRB5_KDB_MAX_RLIFE (60*60*24*7) /* one week */
141 #define KRB5_KDB_EXPIRATION 2145830400 /* Thu Jan 1 00:00:00 2038 UTC */
144 * Windows requires a different api interface to each function. Here
145 * just define it as NULL.
147 #ifndef KRB5_CALLCONV
148 #define KRB5_CALLCONV
149 #define KRB5_CALLCONV_C
155 /* #define KRB5_OLD_CRYPTO is done in krb5.h */
157 #endif /* KRB5_CONFIG__ */
164 * After loading the configuration definitions, load the Kerberos definitions.
170 #include "port-sockets.h"
171 #include "socket-utils.h"
173 /* Get mutex support; currently used only for the replay cache. */
174 #include "k5-thread.h"
176 /* Get error info support. */
179 /* Error codes used in KRB_ERROR protocol messages.
180 Return values of library routines are based on a different error table
181 (which allows non-ambiguous error codes between subsystems) */
184 #define KDC_ERR_NONE 0 /* No error */
185 #define KDC_ERR_NAME_EXP 1 /* Client's entry in DB expired */
186 #define KDC_ERR_SERVICE_EXP 2 /* Server's entry in DB expired */
187 #define KDC_ERR_BAD_PVNO 3 /* Requested pvno not supported */
188 #define KDC_ERR_C_OLD_MAST_KVNO 4 /* C's key encrypted in old master */
189 #define KDC_ERR_S_OLD_MAST_KVNO 5 /* S's key encrypted in old master */
190 #define KDC_ERR_C_PRINCIPAL_UNKNOWN 6 /* Client not found in Kerberos DB */
191 #define KDC_ERR_S_PRINCIPAL_UNKNOWN 7 /* Server not found in Kerberos DB */
192 #define KDC_ERR_PRINCIPAL_NOT_UNIQUE 8 /* Multiple entries in Kerberos DB */
193 #define KDC_ERR_NULL_KEY 9 /* The C or S has a null key */
194 #define KDC_ERR_CANNOT_POSTDATE 10 /* Tkt ineligible for postdating */
195 #define KDC_ERR_NEVER_VALID 11 /* Requested starttime > endtime */
196 #define KDC_ERR_POLICY 12 /* KDC policy rejects request */
197 #define KDC_ERR_BADOPTION 13 /* KDC can't do requested opt. */
198 #define KDC_ERR_ENCTYPE_NOSUPP 14 /* No support for encryption type */
199 #define KDC_ERR_SUMTYPE_NOSUPP 15 /* No support for checksum type */
200 #define KDC_ERR_PADATA_TYPE_NOSUPP 16 /* No support for padata type */
201 #define KDC_ERR_TRTYPE_NOSUPP 17 /* No support for transited type */
202 #define KDC_ERR_CLIENT_REVOKED 18 /* C's creds have been revoked */
203 #define KDC_ERR_SERVICE_REVOKED 19 /* S's creds have been revoked */
204 #define KDC_ERR_TGT_REVOKED 20 /* TGT has been revoked */
205 #define KDC_ERR_CLIENT_NOTYET 21 /* C not yet valid */
206 #define KDC_ERR_SERVICE_NOTYET 22 /* S not yet valid */
207 #define KDC_ERR_KEY_EXP 23 /* Password has expired */
208 #define KDC_ERR_PREAUTH_FAILED 24 /* Preauthentication failed */
209 #define KDC_ERR_PREAUTH_REQUIRED 25 /* Additional preauthentication */
211 #define KDC_ERR_SERVER_NOMATCH 26 /* Requested server and */
212 /* ticket don't match*/
213 #define KDC_ERR_SVC_UNAVAILABLE 29 /* A service is not
215 * required to process the
217 /* Application errors */
218 #define KRB_AP_ERR_BAD_INTEGRITY 31 /* Decrypt integrity check failed */
219 #define KRB_AP_ERR_TKT_EXPIRED 32 /* Ticket expired */
220 #define KRB_AP_ERR_TKT_NYV 33 /* Ticket not yet valid */
221 #define KRB_AP_ERR_REPEAT 34 /* Request is a replay */
222 #define KRB_AP_ERR_NOT_US 35 /* The ticket isn't for us */
223 #define KRB_AP_ERR_BADMATCH 36 /* Ticket/authenticator don't match */
224 #define KRB_AP_ERR_SKEW 37 /* Clock skew too great */
225 #define KRB_AP_ERR_BADADDR 38 /* Incorrect net address */
226 #define KRB_AP_ERR_BADVERSION 39 /* Protocol version mismatch */
227 #define KRB_AP_ERR_MSG_TYPE 40 /* Invalid message type */
228 #define KRB_AP_ERR_MODIFIED 41 /* Message stream modified */
229 #define KRB_AP_ERR_BADORDER 42 /* Message out of order */
230 #define KRB_AP_ERR_BADKEYVER 44 /* Key version is not available */
231 #define KRB_AP_ERR_NOKEY 45 /* Service key not available */
232 #define KRB_AP_ERR_MUT_FAIL 46 /* Mutual authentication failed */
233 #define KRB_AP_ERR_BADDIRECTION 47 /* Incorrect message direction */
234 #define KRB_AP_ERR_METHOD 48 /* Alternative authentication */
235 /* method required */
236 #define KRB_AP_ERR_BADSEQ 49 /* Incorrect sequence numnber */
238 #define KRB_AP_ERR_INAPP_CKSUM 50 /* Inappropriate type of */
239 /* checksum in message */
240 #define KRB_AP_PATH_NOT_ACCEPTED 51 /* Policy rejects transited path */
241 #define KRB_ERR_RESPONSE_TOO_BIG 52 /* Response too big for UDP, */
245 #define KRB_ERR_GENERIC 60 /* Generic error (description */
247 #define KRB_ERR_FIELD_TOOLONG 61 /* Field is too long for impl. */
249 /* PKINIT server-reported errors */
250 #define KDC_ERR_CLIENT_NOT_TRUSTED 62 /* client cert not trusted */
251 #define KDC_ERR_INVALID_SIG 64 /* client signature verify failed */
252 #define KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED 65 /* invalid Diffie-Hellman parameters */
253 #define KDC_ERR_CANT_VERIFY_CERTIFICATE 70 /* client cert not verifiable to */
254 /* trusted root cert */
255 #define KDC_ERR_INVALID_CERTIFICATE 71 /* client cert had invalid signature */
256 #define KDC_ERR_REVOKED_CERTIFICATE 72 /* client cert was revoked */
257 #define KDC_ERR_REVOCATION_STATUS_UNKNOWN 73 /* client cert revoked, reason unknown */
258 #define KDC_ERR_CLIENT_NAME_MISMATCH 75 /* mismatch between client cert and */
260 #define KDC_ERR_INCONSISTENT_KEY_PURPOSE 77 /* bad extended key use */
261 #define KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED 78 /* bad digest algorithm in client cert */
262 #define KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED 79 /* missing paChecksum in PA-PK-AS-REQ */
263 #define KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED 80 /* bad digest algorithm in SignedData */
264 #define KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED 81
267 * This structure is returned in the e-data field of the KRB-ERROR
268 * message when the error calling for an alternative form of
269 * authentication is returned, KRB_AP_METHOD.
271 typedef struct _krb5_alt_method {
279 * A null-terminated array of this structure is returned by the KDC as
280 * the data part of the ETYPE_INFO preauth type. It informs the
281 * client which encryption types are supported.
282 * The same data structure is used by both etype-info and etype-info2
283 * but s2kparams must be null when encoding etype-info.
285 typedef struct _krb5_etype_info_entry {
291 } krb5_etype_info_entry;
294 * This is essentially -1 without sign extension which can screw up
295 * comparisons on 64 bit machines. If the length is this value, then
296 * the salt data is not present. This is to distinguish between not
297 * being set and being of 0 length.
299 #define KRB5_ETYPE_NO_SALT VALID_UINT_BITS
301 typedef krb5_etype_info_entry ** krb5_etype_info;
304 * a sam_challenge is returned for alternate preauth
307 SAMFlags ::= BIT STRING {
309 send-encrypted-sad[1],
310 must-pk-encrypt-sad[2]
314 PA-SAM-CHALLENGE ::= SEQUENCE {
316 sam-flags[1] SAMFlags,
317 sam-type-name[2] GeneralString OPTIONAL,
318 sam-track-id[3] GeneralString OPTIONAL,
319 sam-challenge-label[4] GeneralString OPTIONAL,
320 sam-challenge[5] GeneralString OPTIONAL,
321 sam-response-prompt[6] GeneralString OPTIONAL,
322 sam-pk-for-sad[7] EncryptionKey OPTIONAL,
323 sam-nonce[8] INTEGER OPTIONAL,
324 sam-cksum[9] Checksum OPTIONAL
327 /* sam_type values -- informational only */
328 #define PA_SAM_TYPE_ENIGMA 1 /* Enigma Logic */
329 #define PA_SAM_TYPE_DIGI_PATH 2 /* Digital Pathways */
330 #define PA_SAM_TYPE_SKEY_K0 3 /* S/key where KDC has key 0 */
331 #define PA_SAM_TYPE_SKEY 4 /* Traditional S/Key */
332 #define PA_SAM_TYPE_SECURID 5 /* Security Dynamics */
333 #define PA_SAM_TYPE_CRYPTOCARD 6 /* CRYPTOCard */
334 #if 1 /* XXX need to figure out who has which numbers assigned */
335 #define PA_SAM_TYPE_ACTIVCARD_DEC 6 /* ActivCard decimal mode */
336 #define PA_SAM_TYPE_ACTIVCARD_HEX 7 /* ActivCard hex mode */
337 #define PA_SAM_TYPE_DIGI_PATH_HEX 8 /* Digital Pathways hex mode */
339 #define PA_SAM_TYPE_EXP_BASE 128 /* experimental */
340 #define PA_SAM_TYPE_GRAIL (PA_SAM_TYPE_EXP_BASE+0) /* testing */
341 #define PA_SAM_TYPE_SECURID_PREDICT (PA_SAM_TYPE_EXP_BASE+1) /* special */
343 typedef struct _krb5_predicted_sam_response {
345 krb5_keyblock sam_key;
346 krb5_flags sam_flags; /* Makes key munging easier */
347 krb5_timestamp stime; /* time on server, for replay detection */
349 krb5_principal client;
350 krb5_data msd; /* mechanism specific data */
351 } krb5_predicted_sam_response;
353 typedef struct _krb5_sam_challenge {
355 krb5_int32 sam_type; /* information */
356 krb5_flags sam_flags; /* KRB5_SAM_* values */
357 krb5_data sam_type_name;
358 krb5_data sam_track_id;
359 krb5_data sam_challenge_label;
360 krb5_data sam_challenge;
361 krb5_data sam_response_prompt;
362 krb5_data sam_pk_for_sad;
363 krb5_int32 sam_nonce;
364 krb5_checksum sam_cksum;
365 } krb5_sam_challenge;
367 typedef struct _krb5_sam_key { /* reserved for future use */
369 krb5_keyblock sam_key;
372 typedef struct _krb5_enc_sam_response_enc {
374 krb5_int32 sam_nonce;
375 krb5_timestamp sam_timestamp;
378 } krb5_enc_sam_response_enc;
380 typedef struct _krb5_sam_response {
382 krb5_int32 sam_type; /* informational */
383 krb5_flags sam_flags; /* KRB5_SAM_* values */
384 krb5_data sam_track_id; /* copied */
385 krb5_enc_data sam_enc_key; /* krb5_sam_key - future use */
386 krb5_enc_data sam_enc_nonce_or_ts; /* krb5_enc_sam_response_enc */
387 krb5_int32 sam_nonce;
388 krb5_timestamp sam_patimestamp;
391 typedef struct _krb5_sam_challenge_2 {
392 krb5_data sam_challenge_2_body;
393 krb5_checksum **sam_cksum; /* Array of checksums */
394 } krb5_sam_challenge_2;
396 typedef struct _krb5_sam_challenge_2_body {
398 krb5_int32 sam_type; /* information */
399 krb5_flags sam_flags; /* KRB5_SAM_* values */
400 krb5_data sam_type_name;
401 krb5_data sam_track_id;
402 krb5_data sam_challenge_label;
403 krb5_data sam_challenge;
404 krb5_data sam_response_prompt;
405 krb5_data sam_pk_for_sad;
406 krb5_int32 sam_nonce;
407 krb5_enctype sam_etype;
408 } krb5_sam_challenge_2_body;
410 typedef struct _krb5_sam_response_2 {
412 krb5_int32 sam_type; /* informational */
413 krb5_flags sam_flags; /* KRB5_SAM_* values */
414 krb5_data sam_track_id; /* copied */
415 krb5_enc_data sam_enc_nonce_or_sad; /* krb5_enc_sam_response_enc */
416 krb5_int32 sam_nonce;
417 } krb5_sam_response_2;
419 typedef struct _krb5_enc_sam_response_enc_2 {
421 krb5_int32 sam_nonce;
423 } krb5_enc_sam_response_enc_2;
426 * Keep the pkinit definitions in a separate file so that the plugin
427 * only has to include k5-int-pkinit.h rather than k5-int.h
430 #include "k5-int-pkinit.h"
436 extern char *strdup (const char *);
443 #ifdef HAVE_SYS_TIME_H
444 #include <sys/time.h>
445 #ifdef TIME_WITH_SYS_TIME
452 #ifdef HAVE_SYS_STAT_H
453 #include <sys/stat.h> /* struct stat, stat() */
456 #ifdef HAVE_SYS_PARAM_H
457 #include <sys/param.h> /* MAXPATHLEN */
460 #ifdef HAVE_SYS_FILE_H
461 #include <sys/file.h> /* prototypes for file-related
462 syscalls; flags for open &
472 #include "k5-gmt_mktime.h"
475 struct sendto_callback_info;
478 krb5_error_code krb5_lock_file (krb5_context, int, int);
479 krb5_error_code krb5_unlock_file (krb5_context, int);
480 krb5_error_code krb5_sendto_kdc (krb5_context, const krb5_data *,
481 const krb5_data *, krb5_data *, int *, int);
483 krb5_error_code krb5int_sendto (krb5_context context, const krb5_data *message,
484 const struct addrlist *addrs, struct sendto_callback_info* callback_info,
485 krb5_data *reply, struct sockaddr *localaddr, socklen_t *localaddrlen,
486 struct sockaddr *remoteaddr, socklen_t *remoteaddrlen, int *addr_used,
487 int (*msg_handler)(krb5_context, const krb5_data *, void *),
488 void *msg_handler_data);
490 krb5_error_code krb5_get_krbhst (krb5_context, const krb5_data *, char *** );
491 krb5_error_code krb5_free_krbhst (krb5_context, char * const * );
492 krb5_error_code krb5_create_secure_file (krb5_context, const char * pathname);
493 krb5_error_code krb5_sync_disk_file (krb5_context, FILE *fp);
495 krb5_error_code krb5int_get_fq_local_hostname (char *, size_t);
497 krb5_error_code krb5int_init_context_kdc(krb5_context *);
499 krb5_error_code krb5_os_init_context (krb5_context, krb5_boolean);
501 void krb5_os_free_context (krb5_context);
503 /* This function is needed by KfM's KerberosPreferences API
504 * because it needs to be able to specify "secure" */
505 krb5_error_code os_get_default_config_files
506 (profile_filespec_t **pfiles, krb5_boolean secure);
508 krb5_error_code krb5_os_hostaddr
509 (krb5_context, const char *, krb5_address ***);
511 /* N.B.: You need to include fake-addrinfo.h *before* k5-int.h if you're
512 going to use this structure. */
518 struct undefined_addrinfo *ai;
520 void (*freefn)(void *);
526 #define ADDRLIST_INIT { 0, 0, 0 }
527 extern void krb5int_free_addrlist (struct addrlist *);
528 extern int krb5int_grow_addrlist (struct addrlist *, int);
529 extern int krb5int_add_host_to_list (struct addrlist *, const char *,
532 #include <krb5/locate_plugin.h>
534 krb5int_locate_server (krb5_context, const krb5_data *realm,
535 struct addrlist *, enum locate_service_type svc,
536 int sockettype, int family);
538 /* new encryption provider api */
540 struct krb5_enc_provider {
541 /* keybytes is the input size to make_key;
542 keylength is the output size */
543 size_t block_size, keybytes, keylength;
545 /* cipher-state == 0 fresh state thrown away at end */
546 krb5_error_code (*encrypt) (const krb5_keyblock *key,
547 const krb5_data *cipher_state,
548 const krb5_data *input,
551 krb5_error_code (*decrypt) (const krb5_keyblock *key,
552 const krb5_data *ivec,
553 const krb5_data *input,
556 krb5_error_code (*make_key) (const krb5_data *randombits,
559 krb5_error_code (*init_state) (const krb5_keyblock *key,
560 krb5_keyusage keyusage, krb5_data *out_state);
561 krb5_error_code (*free_state) (krb5_data *state);
565 struct krb5_hash_provider {
566 size_t hashsize, blocksize;
568 /* this takes multiple inputs to avoid lots of copying. */
569 krb5_error_code (*hash) (unsigned int icount, const krb5_data *input,
573 struct krb5_keyhash_provider {
576 krb5_error_code (*hash) (const krb5_keyblock *key,
577 krb5_keyusage keyusage,
578 const krb5_data *ivec,
579 const krb5_data *input,
582 krb5_error_code (*verify) (const krb5_keyblock *key,
583 krb5_keyusage keyusage,
584 const krb5_data *ivec,
585 const krb5_data *input,
586 const krb5_data *hash,
587 krb5_boolean *valid);
590 typedef void (*krb5_encrypt_length_func) (const struct krb5_enc_provider *enc,
591 const struct krb5_hash_provider *hash,
592 size_t inputlen, size_t *length);
594 typedef krb5_error_code (*krb5_crypt_func) (const struct krb5_enc_provider *enc,
595 const struct krb5_hash_provider *hash,
596 const krb5_keyblock *key, krb5_keyusage keyusage,
597 const krb5_data *ivec,
598 const krb5_data *input, krb5_data *output);
600 typedef krb5_error_code (*krb5_str2key_func) (const struct krb5_enc_provider *enc, const krb5_data *string,
601 const krb5_data *salt, const krb5_data *parm, krb5_keyblock *key);
603 typedef krb5_error_code (*krb5_prf_func)(
604 const struct krb5_enc_provider *enc,
605 const struct krb5_hash_provider *hash,
606 const krb5_keyblock *key,
607 const krb5_data *in, krb5_data *out);
609 struct krb5_keytypes {
613 const struct krb5_enc_provider *enc;
614 const struct krb5_hash_provider *hash;
616 krb5_encrypt_length_func encrypt_len;
617 krb5_crypt_func encrypt;
618 krb5_crypt_func decrypt;
619 krb5_str2key_func str2key;
621 krb5_cksumtype required_ctype;
624 struct krb5_cksumtypes {
625 krb5_cksumtype ctype;
629 /* if the hash is keyed, this is the etype it is keyed with.
630 Actually, it can be keyed by any etype which has the same
631 enc_provider as the specified etype. DERIVE checksums can
632 be keyed with any valid etype. */
633 krb5_enctype keyed_etype;
634 /* I can't statically initialize a union, so I'm just going to use
635 two pointers here. The keyhash is used if non-NULL. If NULL,
636 then HMAC/hash with derived keys is used if the relevant flag
637 is set. Otherwise, a non-keyed hash is computed. This is all
638 kind of messy, but so is the krb5 api. */
639 const struct krb5_keyhash_provider *keyhash;
640 const struct krb5_hash_provider *hash;
641 /* This just gets uglier and uglier. In the key derivation case,
642 we produce an hmac. To make the hmac code work, we can't hack
643 the output size indicated by the hash provider, but we may want
644 a truncated hmac. If we want truncation, this is the number of
645 bytes we truncate to; it should be 0 otherwise. */
646 unsigned int trunc_size;
649 #define KRB5_CKSUMFLAG_DERIVE 0x0001
650 #define KRB5_CKSUMFLAG_NOT_COLL_PROOF 0x0002
653 * in here to deal with stuff from lib/crypto
657 (unsigned int inbits, const unsigned char *in,
658 unsigned int outbits, unsigned char *out);
660 krb5_error_code krb5_hmac
661 (const struct krb5_hash_provider *hash,
662 const krb5_keyblock *key, unsigned int icount,
663 const krb5_data *input, krb5_data *output);
665 krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
669 /* Make this a function eventually? */
671 # define krb5int_zap_data(ptr, len) SecureZeroMemory(ptr, len)
672 #elif defined(__GNUC__)
673 static inline void krb5int_zap_data(void *ptr, size_t len)
676 asm volatile ("" : : "g" (ptr), "g" (len));
679 # define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len)
681 #define zap(p,l) krb5int_zap_data(p,l)
683 /* A definition of init_state for DES based encryption systems.
684 * sets up an 8-byte IV of all zeros
687 krb5_error_code krb5int_des_init_state
688 (const krb5_keyblock *key, krb5_keyusage keyusage, krb5_data *new_state);
691 * normally to free a cipher_state you can just memset the length to zero and
694 krb5_error_code krb5int_default_free_state
699 * Combine two keys (normally used by the hardware preauth mechanism)
701 krb5_error_code krb5int_c_combine_keys
702 (krb5_context context, krb5_keyblock *key1, krb5_keyblock *key2,
703 krb5_keyblock *outkey);
705 void krb5int_c_free_keyblock
706 (krb5_context, krb5_keyblock *key);
707 void krb5int_c_free_keyblock_contents
708 (krb5_context, krb5_keyblock *);
709 krb5_error_code krb5int_c_init_keyblock
710 (krb5_context, krb5_enctype enctype,
711 size_t length, krb5_keyblock **out);
714 * Internal - for cleanup.
716 extern void krb5int_prng_cleanup (void);
720 * These declarations are here, so both krb5 and k5crypto
722 * krb5 needs to get to them so it can make them available to libgssapi.
724 extern const struct krb5_enc_provider krb5int_enc_arcfour;
725 extern const struct krb5_hash_provider krb5int_hash_md5;
728 #ifdef KRB5_OLD_CRYPTO
729 /* old provider api */
731 krb5_error_code krb5_crypto_os_localaddr
734 krb5_error_code krb5_crypto_us_timeofday
738 #endif /* KRB5_OLD_CRYPTO */
740 /* this helper fct is in libkrb5, but it makes sense declared here. */
742 krb5_error_code krb5_encrypt_helper
743 (krb5_context context, const krb5_keyblock *key,
744 krb5_keyusage keyusage, const krb5_data *plain,
745 krb5_enc_data *cipher);
751 typedef struct _krb5_os_context {
753 krb5_int32 time_offset;
754 krb5_int32 usec_offset;
756 char * default_ccname;
760 * Flags for the os_flags field
762 * KRB5_OS_TOFFSET_VALID means that the time offset fields are valid.
763 * The intention is that this facility to correct the system clocks so
764 * that they reflect the "real" time, for systems where for some
765 * reason we can't set the system clock. Instead we calculate the
766 * offset between the system time and real time, and store the offset
767 * in the os context so that we can correct the system clock as necessary.
769 * KRB5_OS_TOFFSET_TIME means that the time offset fields should be
770 * returned as the time by the krb5 time routines. This should only
771 * be used for testing purposes (obviously!)
773 #define KRB5_OS_TOFFSET_VALID 1
774 #define KRB5_OS_TOFFSET_TIME 2
776 /* lock mode flags */
777 #define KRB5_LOCKMODE_SHARED 0x0001
778 #define KRB5_LOCKMODE_EXCLUSIVE 0x0002
779 #define KRB5_LOCKMODE_DONTBLOCK 0x0004
780 #define KRB5_LOCKMODE_UNLOCK 0x0008
783 * Define our view of the size of a DES key.
785 #define KRB5_MIT_DES_KEYSIZE 8
787 * Check if des_int.h has been included before us. If so, then check to see
788 * that our view of the DES key size is the same as des_int.h's.
790 #ifdef MIT_DES_KEYSIZE
791 #if MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE
792 error(MIT_DES_KEYSIZE does not equal KRB5_MIT_DES_KEYSIZE)
793 #endif /* MIT_DES_KEYSIZE != KRB5_MIT_DES_KEYSIZE */
794 #endif /* MIT_DES_KEYSIZE */
799 * (Originally written by Glen Machin at Sandia Labs.)
802 * Sandia National Laboratories also makes no representations about the
803 * suitability of the modifications, or additions to this software for
804 * any purpose. It is provided "as is" without express or implied warranty.
807 #ifndef KRB5_PREAUTH__
808 #define KRB5_PREAUTH__
810 #include <krb5/preauth_plugin.h>
812 #define CLIENT_ROCK_MAGIC 0x4352434b
813 /* This structure is passed into the client preauth functions and passed
814 * back to the "get_data_proc" function so that it can locate the
815 * requested information. It is opaque to the plugin code and can be
816 * expanded in the future as new types of requests are defined which
817 * may require other things to be passed through. */
818 typedef struct _krb5_preauth_client_rock {
820 krb5_kdc_rep *as_reply;
821 } krb5_preauth_client_rock;
823 /* This structure lets us keep track of all of the modules which are loaded,
824 * turning the list of modules and their lists of implemented preauth types
825 * into a single list which we can walk easily. */
826 typedef struct _krb5_preauth_context {
828 struct _krb5_preauth_context_module {
829 /* Which of the possibly more than one preauth types which the
830 * module supports we're using at this point in the list. */
831 krb5_preauthtype pa_type;
832 /* Encryption types which the client claims to support -- we
833 * copy them directly into the krb5_kdc_req structure during
834 * krb5_preauth_prepare_request(). */
835 krb5_enctype *enctypes;
836 /* The plugin's per-plugin context and a function to clear it. */
837 void *plugin_context;
838 preauth_client_plugin_fini_proc client_fini;
839 /* The module's table, and some of its members, copied here for
840 * convenience when we populated the list. */
841 struct krb5plugin_preauth_client_ftable_v1 *ftable;
843 int flags, use_count;
844 preauth_client_process_proc client_process;
845 preauth_client_tryagain_proc client_tryagain;
846 preauth_client_supply_gic_opts_proc client_supply_gic_opts;
847 preauth_client_request_init_proc client_req_init;
848 preauth_client_request_fini_proc client_req_fini;
849 /* The per-request context which the client_req_init() function
850 * might allocate, which we'll need to clean up later by
851 * calling the client_req_fini() function. */
852 void *request_context;
853 /* A pointer to the request_context pointer. All modules within
854 * a plugin will point at the request_context of the first
855 * module within the plugin. */
856 void **request_context_pp;
858 } krb5_preauth_context;
860 typedef struct _krb5_pa_enc_ts {
861 krb5_timestamp patimestamp;
865 typedef krb5_error_code (*krb5_preauth_obtain_proc)
870 krb5_error_code ( * )(krb5_context,
880 typedef krb5_error_code (*krb5_preauth_process_proc)
885 krb5_error_code ( * )(krb5_context,
891 krb5_error_code ( * )(krb5_context,
892 const krb5_keyblock *,
900 typedef struct _krb5_preauth_ops {
904 krb5_preauth_obtain_proc obtain;
905 krb5_preauth_process_proc process;
908 krb5_error_code krb5_obtain_padata
911 krb5_error_code ( * )(krb5_context,
920 krb5_error_code krb5_process_padata
924 krb5_error_code ( * )(krb5_context,
930 krb5_error_code ( * )(krb5_context,
931 const krb5_keyblock *,
938 void krb5_free_etype_info
939 (krb5_context, krb5_etype_info);
942 * Preauthentication property flags
944 #define KRB5_PREAUTH_FLAGS_ENCRYPT 0x00000001
945 #define KRB5_PREAUTH_FLAGS_HARDWARE 0x00000002
947 #endif /* KRB5_PREAUTH__ */
953 * Extending the krb5_get_init_creds_opt structure. The original
954 * krb5_get_init_creds_opt structure is defined publicly. The
955 * new extended version is private. The original interface
956 * assumed a pre-allocated structure which was passed to
957 * krb5_get_init_creds_init(). The new interface assumes that
958 * the caller will call krb5_get_init_creds_alloc() and
959 * krb5_get_init_creds_free().
961 * Callers MUST NOT call krb5_get_init_creds_init() after allocating an
962 * opts structure using krb5_get_init_creds_alloc(). To do so will
963 * introduce memory leaks. Unfortunately, there is no way to enforce
966 * Two private flags are added for backward compatibility.
967 * KRB5_GET_INIT_CREDS_OPT_EXTENDED says that the structure was allocated
968 * with the new krb5_get_init_creds_opt_alloc() function.
969 * KRB5_GET_INIT_CREDS_OPT_SHADOWED is set to indicate that the extended
970 * structure is a shadow copy of an original krb5_get_init_creds_opt
972 * If KRB5_GET_INIT_CREDS_OPT_SHADOWED is set after a call to
973 * krb5int_gic_opt_to_opte(), the resulting extended structure should be
974 * freed (using krb5_get_init_creds_free). Otherwise, the original
975 * structure was already extended and there is no need to free it.
978 #define KRB5_GET_INIT_CREDS_OPT_EXTENDED 0x80000000
979 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
981 #define krb5_gic_opt_is_extended(s) \
982 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
983 #define krb5_gic_opt_is_shadowed(s) \
984 ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
987 typedef struct _krb5_gic_opt_private {
988 int num_preauth_data;
989 krb5_gic_opt_pa_data *preauth_data;
990 } krb5_gic_opt_private;
993 * On the Mac, ensure that the layout of krb5_gic_opt_ext matches that
994 * of krb5_get_init_creds_opt.
997 # pragma pack(push,2)
1000 typedef struct _krb5_gic_opt_ext {
1002 krb5_deltat tkt_life;
1003 krb5_deltat renew_life;
1006 krb5_enctype *etype_list;
1007 int etype_list_length;
1008 krb5_address **address_list;
1009 krb5_preauthtype *preauth_list;
1010 int preauth_list_length;
1013 * Do not change anything above this point in this structure.
1014 * It is identical to the public krb5_get_init_creds_opt structure.
1015 * New members must be added below.
1017 krb5_gic_opt_private *opt_private;
1025 krb5int_gic_opt_to_opte(krb5_context context,
1026 krb5_get_init_creds_opt *opt,
1027 krb5_gic_opt_ext **opte,
1032 krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
1035 krb5int_copy_creds_contents (krb5_context, const krb5_creds *, krb5_creds *);
1037 typedef krb5_error_code (*krb5_gic_get_as_key_fct)
1042 void *prompter_data,
1044 krb5_data *s2kparams,
1045 krb5_keyblock *as_key,
1048 krb5_error_code KRB5_CALLCONV
1050 (krb5_context context,
1052 krb5_principal client,
1053 krb5_prompter_fct prompter,
1054 void *prompter_data,
1055 krb5_deltat start_time,
1056 char *in_tkt_service,
1057 krb5_gic_opt_ext *gic_options,
1058 krb5_gic_get_as_key_fct gak,
1061 krb5_kdc_rep **as_reply);
1063 krb5_error_code krb5int_populate_gic_opt (
1064 krb5_context, krb5_gic_opt_ext **,
1065 krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
1066 krb5_preauthtype *pre_auth_types, krb5_creds *creds);
1069 krb5_error_code KRB5_CALLCONV krb5_do_preauth
1070 (krb5_context context,
1071 krb5_kdc_req *request,
1072 krb5_data *encoded_request_body,
1073 krb5_data *encoded_previous_request,
1074 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1075 krb5_data *salt, krb5_data *s2kparams,
1076 krb5_enctype *etype, krb5_keyblock *as_key,
1077 krb5_prompter_fct prompter, void *prompter_data,
1078 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1079 krb5_preauth_client_rock *get_data_rock,
1080 krb5_gic_opt_ext *opte);
1081 krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain
1082 (krb5_context context,
1083 krb5_kdc_req *request,
1084 krb5_data *encoded_request_body,
1085 krb5_data *encoded_previous_request,
1086 krb5_pa_data **in_padata, krb5_pa_data ***out_padata,
1087 krb5_error *err_reply,
1088 krb5_data *salt, krb5_data *s2kparams,
1089 krb5_enctype *etype, krb5_keyblock *as_key,
1090 krb5_prompter_fct prompter, void *prompter_data,
1091 krb5_gic_get_as_key_fct gak_fct, void *gak_data,
1092 krb5_preauth_client_rock *get_data_rock,
1093 krb5_gic_opt_ext *opte);
1094 void KRB5_CALLCONV krb5_init_preauth_context
1096 void KRB5_CALLCONV krb5_free_preauth_context
1098 void KRB5_CALLCONV krb5_clear_preauth_context_use_counts
1100 void KRB5_CALLCONV krb5_preauth_prepare_request
1101 (krb5_context, krb5_gic_opt_ext *, krb5_kdc_req *);
1102 void KRB5_CALLCONV krb5_preauth_request_context_init
1104 void KRB5_CALLCONV krb5_preauth_request_context_fini
1107 void KRB5_CALLCONV krb5_free_sam_challenge
1108 (krb5_context, krb5_sam_challenge * );
1109 void KRB5_CALLCONV krb5_free_sam_challenge_2
1110 (krb5_context, krb5_sam_challenge_2 * );
1111 void KRB5_CALLCONV krb5_free_sam_challenge_2_body
1112 (krb5_context, krb5_sam_challenge_2_body *);
1113 void KRB5_CALLCONV krb5_free_sam_response
1114 (krb5_context, krb5_sam_response * );
1115 void KRB5_CALLCONV krb5_free_sam_response_2
1116 (krb5_context, krb5_sam_response_2 * );
1117 void KRB5_CALLCONV krb5_free_predicted_sam_response
1118 (krb5_context, krb5_predicted_sam_response * );
1119 void KRB5_CALLCONV krb5_free_enc_sam_response_enc
1120 (krb5_context, krb5_enc_sam_response_enc * );
1121 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2
1122 (krb5_context, krb5_enc_sam_response_enc_2 * );
1123 void KRB5_CALLCONV krb5_free_sam_challenge_contents
1124 (krb5_context, krb5_sam_challenge * );
1125 void KRB5_CALLCONV krb5_free_sam_challenge_2_contents
1126 (krb5_context, krb5_sam_challenge_2 * );
1127 void KRB5_CALLCONV krb5_free_sam_challenge_2_body_contents
1128 (krb5_context, krb5_sam_challenge_2_body * );
1129 void KRB5_CALLCONV krb5_free_sam_response_contents
1130 (krb5_context, krb5_sam_response * );
1131 void KRB5_CALLCONV krb5_free_sam_response_2_contents
1132 (krb5_context, krb5_sam_response_2 *);
1133 void KRB5_CALLCONV krb5_free_predicted_sam_response_contents
1134 (krb5_context, krb5_predicted_sam_response * );
1135 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_contents
1136 (krb5_context, krb5_enc_sam_response_enc * );
1137 void KRB5_CALLCONV krb5_free_enc_sam_response_enc_2_contents
1138 (krb5_context, krb5_enc_sam_response_enc_2 * );
1140 void KRB5_CALLCONV krb5_free_pa_enc_ts
1141 (krb5_context, krb5_pa_enc_ts *);
1143 /* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
1144 #include "com_err.h"
1145 #include "k5-plugin.h"
1147 struct _kdb5_dal_handle; /* private, in kdb5.h */
1148 typedef struct _kdb5_dal_handle kdb5_dal_handle;
1149 struct _kdb_log_context;
1150 struct _krb5_context {
1152 krb5_enctype *in_tkt_ktypes;
1153 unsigned int in_tkt_ktype_count;
1154 krb5_enctype *tgs_ktypes;
1155 unsigned int tgs_ktype_count;
1156 struct _krb5_os_context os_context;
1157 char *default_realm;
1159 kdb5_dal_handle *dal_handle;
1162 /* allowable clock skew */
1163 krb5_deltat clockskew;
1164 krb5_cksumtype kdc_req_sumtype;
1165 krb5_cksumtype default_ap_req_sumtype;
1166 krb5_cksumtype default_safe_sumtype;
1167 krb5_flags kdc_default_options;
1168 krb5_flags library_options;
1169 krb5_boolean profile_secure;
1170 int fcc_default_format;
1171 krb5_prompt_type *prompt_types;
1172 /* Message size above which we'll try TCP first in send-to-kdc
1173 type code. Aside from the 2**16 size limit, we put no
1174 absolute limit on the UDP packet size. */
1177 /* Use the config-file ktypes instead of app-specified? */
1178 krb5_boolean use_conf_ktypes;
1180 #ifdef KRB5_DNS_LOOKUP
1181 krb5_boolean profile_in_memory;
1182 #endif /* KRB5_DNS_LOOKUP */
1184 /* locate_kdc module stuff */
1185 struct plugin_dir_handle libkrb5_plugins;
1186 struct krb5plugin_service_locate_ftable *vtbl;
1187 void (**locate_fptrs)(void);
1189 /* preauth module stuff */
1190 struct plugin_dir_handle preauth_plugins;
1191 krb5_preauth_context *preauth_context;
1193 /* error detail info */
1196 /* For Sun iprop code; does this really have to be here? */
1197 struct _kdb_log_context *kdblog_context;
1200 /* could be used in a table to find an etype and initialize a block */
1203 #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
1205 /* internal message representations */
1207 typedef struct _krb5_safe {
1209 krb5_data user_data; /* user data */
1210 krb5_timestamp timestamp; /* client time, optional */
1211 krb5_int32 usec; /* microsecond portion of time,
1213 krb5_ui_4 seq_number; /* sequence #, optional */
1214 krb5_address *s_address; /* sender address */
1215 krb5_address *r_address; /* recipient address, optional */
1216 krb5_checksum *checksum; /* data integrity checksum */
1219 typedef struct _krb5_priv {
1221 krb5_enc_data enc_part; /* encrypted part */
1224 typedef struct _krb5_priv_enc_part {
1226 krb5_data user_data; /* user data */
1227 krb5_timestamp timestamp; /* client time, optional */
1228 krb5_int32 usec; /* microsecond portion of time, opt. */
1229 krb5_ui_4 seq_number; /* sequence #, optional */
1230 krb5_address *s_address; /* sender address */
1231 krb5_address *r_address; /* recipient address, optional */
1232 } krb5_priv_enc_part;
1234 void KRB5_CALLCONV krb5_free_safe
1235 (krb5_context, krb5_safe * );
1236 void KRB5_CALLCONV krb5_free_priv
1237 (krb5_context, krb5_priv * );
1238 void KRB5_CALLCONV krb5_free_priv_enc_part
1239 (krb5_context, krb5_priv_enc_part * );
1247 /* ASN.1 encoding knowledge; KEEP IN SYNC WITH ASN.1 defs! */
1248 /* here we use some knowledge of ASN.1 encodings */
1250 Ticket is APPLICATION 1.
1251 Authenticator is APPLICATION 2.
1252 AS_REQ is APPLICATION 10.
1253 AS_REP is APPLICATION 11.
1254 TGS_REQ is APPLICATION 12.
1255 TGS_REP is APPLICATION 13.
1256 AP_REQ is APPLICATION 14.
1257 AP_REP is APPLICATION 15.
1258 KRB_SAFE is APPLICATION 20.
1259 KRB_PRIV is APPLICATION 21.
1260 KRB_CRED is APPLICATION 22.
1261 EncASRepPart is APPLICATION 25.
1262 EncTGSRepPart is APPLICATION 26.
1263 EncAPRepPart is APPLICATION 27.
1264 EncKrbPrivPart is APPLICATION 28.
1265 EncKrbCredPart is APPLICATION 29.
1266 KRB_ERROR is APPLICATION 30.
1268 /* allow either constructed or primitive encoding, so check for bit 6
1270 #define krb5_is_krb_ticket(dat)\
1271 ((dat) && (dat)->length && ((dat)->data[0] == 0x61 ||\
1272 (dat)->data[0] == 0x41))
1273 #define krb5_is_krb_authenticator(dat)\
1274 ((dat) && (dat)->length && ((dat)->data[0] == 0x62 ||\
1275 (dat)->data[0] == 0x42))
1276 #define krb5_is_as_req(dat)\
1277 ((dat) && (dat)->length && ((dat)->data[0] == 0x6a ||\
1278 (dat)->data[0] == 0x4a))
1279 #define krb5_is_as_rep(dat)\
1280 ((dat) && (dat)->length && ((dat)->data[0] == 0x6b ||\
1281 (dat)->data[0] == 0x4b))
1282 #define krb5_is_tgs_req(dat)\
1283 ((dat) && (dat)->length && ((dat)->data[0] == 0x6c ||\
1284 (dat)->data[0] == 0x4c))
1285 #define krb5_is_tgs_rep(dat)\
1286 ((dat) && (dat)->length && ((dat)->data[0] == 0x6d ||\
1287 (dat)->data[0] == 0x4d))
1288 #define krb5_is_ap_req(dat)\
1289 ((dat) && (dat)->length && ((dat)->data[0] == 0x6e ||\
1290 (dat)->data[0] == 0x4e))
1291 #define krb5_is_ap_rep(dat)\
1292 ((dat) && (dat)->length && ((dat)->data[0] == 0x6f ||\
1293 (dat)->data[0] == 0x4f))
1294 #define krb5_is_krb_safe(dat)\
1295 ((dat) && (dat)->length && ((dat)->data[0] == 0x74 ||\
1296 (dat)->data[0] == 0x54))
1297 #define krb5_is_krb_priv(dat)\
1298 ((dat) && (dat)->length && ((dat)->data[0] == 0x75 ||\
1299 (dat)->data[0] == 0x55))
1300 #define krb5_is_krb_cred(dat)\
1301 ((dat) && (dat)->length && ((dat)->data[0] == 0x76 ||\
1302 (dat)->data[0] == 0x56))
1303 #define krb5_is_krb_enc_as_rep_part(dat)\
1304 ((dat) && (dat)->length && ((dat)->data[0] == 0x79 ||\
1305 (dat)->data[0] == 0x59))
1306 #define krb5_is_krb_enc_tgs_rep_part(dat)\
1307 ((dat) && (dat)->length && ((dat)->data[0] == 0x7a ||\
1308 (dat)->data[0] == 0x5a))
1309 #define krb5_is_krb_enc_ap_rep_part(dat)\
1310 ((dat) && (dat)->length && ((dat)->data[0] == 0x7b ||\
1311 (dat)->data[0] == 0x5b))
1312 #define krb5_is_krb_enc_krb_priv_part(dat)\
1313 ((dat) && (dat)->length && ((dat)->data[0] == 0x7c ||\
1314 (dat)->data[0] == 0x5c))
1315 #define krb5_is_krb_enc_krb_cred_part(dat)\
1316 ((dat) && (dat)->length && ((dat)->data[0] == 0x7d ||\
1317 (dat)->data[0] == 0x5d))
1318 #define krb5_is_krb_error(dat)\
1319 ((dat) && (dat)->length && ((dat)->data[0] == 0x7e ||\
1320 (dat)->data[0] == 0x5e))
1322 /*************************************************************************
1323 * Prototypes for krb5_encode.c
1324 *************************************************************************/
1327 krb5_error_code encode_krb5_structure(const krb5_structure *rep,
1330 effects Returns the ASN.1 encoding of *rep in **code.
1331 Returns ASN1_MISSING_FIELD if a required field is emtpy in *rep.
1332 Returns ENOMEM if memory runs out.
1335 krb5_error_code encode_krb5_authenticator
1336 (const krb5_authenticator *rep, krb5_data **code);
1338 krb5_error_code encode_krb5_ticket
1339 (const krb5_ticket *rep, krb5_data **code);
1341 krb5_error_code encode_krb5_encryption_key
1342 (const krb5_keyblock *rep, krb5_data **code);
1344 krb5_error_code encode_krb5_enc_tkt_part
1345 (const krb5_enc_tkt_part *rep, krb5_data **code);
1347 krb5_error_code encode_krb5_enc_kdc_rep_part
1348 (const krb5_enc_kdc_rep_part *rep, krb5_data **code);
1350 /* yes, the translation is identical to that used for KDC__REP */
1351 krb5_error_code encode_krb5_as_rep
1352 (const krb5_kdc_rep *rep, krb5_data **code);
1354 /* yes, the translation is identical to that used for KDC__REP */
1355 krb5_error_code encode_krb5_tgs_rep
1356 (const krb5_kdc_rep *rep, krb5_data **code);
1358 krb5_error_code encode_krb5_ap_req
1359 (const krb5_ap_req *rep, krb5_data **code);
1361 krb5_error_code encode_krb5_ap_rep
1362 (const krb5_ap_rep *rep, krb5_data **code);
1364 krb5_error_code encode_krb5_ap_rep_enc_part
1365 (const krb5_ap_rep_enc_part *rep, krb5_data **code);
1367 krb5_error_code encode_krb5_as_req
1368 (const krb5_kdc_req *rep, krb5_data **code);
1370 krb5_error_code encode_krb5_tgs_req
1371 (const krb5_kdc_req *rep, krb5_data **code);
1373 krb5_error_code encode_krb5_kdc_req_body
1374 (const krb5_kdc_req *rep, krb5_data **code);
1376 krb5_error_code encode_krb5_safe
1377 (const krb5_safe *rep, krb5_data **code);
1379 krb5_error_code encode_krb5_safe_with_body
1380 (const krb5_safe *rep, const krb5_data *body, krb5_data **code);
1382 krb5_error_code encode_krb5_priv
1383 (const krb5_priv *rep, krb5_data **code);
1385 krb5_error_code encode_krb5_enc_priv_part
1386 (const krb5_priv_enc_part *rep, krb5_data **code);
1388 krb5_error_code encode_krb5_cred
1389 (const krb5_cred *rep, krb5_data **code);
1391 krb5_error_code encode_krb5_enc_cred_part
1392 (const krb5_cred_enc_part *rep, krb5_data **code);
1394 krb5_error_code encode_krb5_error
1395 (const krb5_error *rep, krb5_data **code);
1397 krb5_error_code encode_krb5_authdata
1398 (const krb5_authdata **rep, krb5_data **code);
1400 krb5_error_code encode_krb5_authdata_elt
1401 (const krb5_authdata *rep, krb5_data **code);
1403 krb5_error_code encode_krb5_pwd_sequence
1404 (const passwd_phrase_element *rep, krb5_data **code);
1406 krb5_error_code encode_krb5_pwd_data
1407 (const krb5_pwd_data *rep, krb5_data **code);
1409 krb5_error_code encode_krb5_padata_sequence
1410 (const krb5_pa_data ** rep, krb5_data **code);
1412 krb5_error_code encode_krb5_alt_method
1413 (const krb5_alt_method *, krb5_data **code);
1415 krb5_error_code encode_krb5_etype_info
1416 (const krb5_etype_info_entry **, krb5_data **code);
1417 krb5_error_code encode_krb5_etype_info2
1418 (const krb5_etype_info_entry **, krb5_data **code);
1420 krb5_error_code encode_krb5_enc_data
1421 (const krb5_enc_data *, krb5_data **);
1423 krb5_error_code encode_krb5_pa_enc_ts
1424 (const krb5_pa_enc_ts *, krb5_data **);
1426 krb5_error_code encode_krb5_sam_challenge
1427 (const krb5_sam_challenge * , krb5_data **);
1429 krb5_error_code encode_krb5_sam_key
1430 (const krb5_sam_key * , krb5_data **);
1432 krb5_error_code encode_krb5_enc_sam_response_enc
1433 (const krb5_enc_sam_response_enc * , krb5_data **);
1435 krb5_error_code encode_krb5_sam_response
1436 (const krb5_sam_response * , krb5_data **);
1438 krb5_error_code encode_krb5_sam_challenge_2
1439 (const krb5_sam_challenge_2 * , krb5_data **);
1441 krb5_error_code encode_krb5_sam_challenge_2_body
1442 (const krb5_sam_challenge_2_body * , krb5_data **);
1444 krb5_error_code encode_krb5_enc_sam_response_enc_2
1445 (const krb5_enc_sam_response_enc_2 * , krb5_data **);
1447 krb5_error_code encode_krb5_sam_response_2
1448 (const krb5_sam_response_2 * , krb5_data **);
1450 krb5_error_code encode_krb5_predicted_sam_response
1451 (const krb5_predicted_sam_response * , krb5_data **);
1453 krb5_error_code encode_krb5_setpw_req
1454 (const krb5_principal target, char *password, krb5_data **code);
1456 /*************************************************************************
1457 * End of prototypes for krb5_encode.c
1458 *************************************************************************/
1460 krb5_error_code decode_krb5_sam_challenge
1461 (const krb5_data *, krb5_sam_challenge **);
1463 krb5_error_code decode_krb5_enc_sam_key
1464 (const krb5_data *, krb5_sam_key **);
1466 krb5_error_code decode_krb5_enc_sam_response_enc
1467 (const krb5_data *, krb5_enc_sam_response_enc **);
1469 krb5_error_code decode_krb5_sam_response
1470 (const krb5_data *, krb5_sam_response **);
1472 krb5_error_code decode_krb5_predicted_sam_response
1473 (const krb5_data *, krb5_predicted_sam_response **);
1475 krb5_error_code decode_krb5_sam_challenge_2
1476 (const krb5_data *, krb5_sam_challenge_2 **);
1478 krb5_error_code decode_krb5_sam_challenge_2_body
1479 (const krb5_data *, krb5_sam_challenge_2_body **);
1481 krb5_error_code decode_krb5_enc_sam_response_enc_2
1482 (const krb5_data *, krb5_enc_sam_response_enc_2 **);
1484 krb5_error_code decode_krb5_sam_response_2
1485 (const krb5_data *, krb5_sam_response_2 **);
1488 /*************************************************************************
1489 * Prototypes for krb5_decode.c
1490 *************************************************************************/
1492 krb5_error_code krb5_validate_times
1494 krb5_ticket_times *);
1497 krb5_error_code decode_krb5_structure(const krb5_data *code,
1498 krb5_structure **rep);
1500 requires Expects **rep to not have been allocated;
1501 a new *rep is allocated regardless of the old value.
1502 effects Decodes *code into **rep.
1503 Returns ENOMEM if memory is exhausted.
1504 Returns asn1 and krb5 errors.
1507 krb5_error_code decode_krb5_authenticator
1508 (const krb5_data *code, krb5_authenticator **rep);
1510 krb5_error_code decode_krb5_ticket
1511 (const krb5_data *code, krb5_ticket **rep);
1513 krb5_error_code decode_krb5_encryption_key
1514 (const krb5_data *output, krb5_keyblock **rep);
1516 krb5_error_code decode_krb5_enc_tkt_part
1517 (const krb5_data *output, krb5_enc_tkt_part **rep);
1519 krb5_error_code decode_krb5_enc_kdc_rep_part
1520 (const krb5_data *output, krb5_enc_kdc_rep_part **rep);
1522 krb5_error_code decode_krb5_as_rep
1523 (const krb5_data *output, krb5_kdc_rep **rep);
1525 krb5_error_code decode_krb5_tgs_rep
1526 (const krb5_data *output, krb5_kdc_rep **rep);
1528 krb5_error_code decode_krb5_ap_req
1529 (const krb5_data *output, krb5_ap_req **rep);
1531 krb5_error_code decode_krb5_ap_rep
1532 (const krb5_data *output, krb5_ap_rep **rep);
1534 krb5_error_code decode_krb5_ap_rep_enc_part
1535 (const krb5_data *output, krb5_ap_rep_enc_part **rep);
1537 krb5_error_code decode_krb5_as_req
1538 (const krb5_data *output, krb5_kdc_req **rep);
1540 krb5_error_code decode_krb5_tgs_req
1541 (const krb5_data *output, krb5_kdc_req **rep);
1543 krb5_error_code decode_krb5_kdc_req_body
1544 (const krb5_data *output, krb5_kdc_req **rep);
1546 krb5_error_code decode_krb5_safe
1547 (const krb5_data *output, krb5_safe **rep);
1549 krb5_error_code decode_krb5_safe_with_body
1550 (const krb5_data *output, krb5_safe **rep, krb5_data *body);
1552 krb5_error_code decode_krb5_priv
1553 (const krb5_data *output, krb5_priv **rep);
1555 krb5_error_code decode_krb5_enc_priv_part
1556 (const krb5_data *output, krb5_priv_enc_part **rep);
1558 krb5_error_code decode_krb5_cred
1559 (const krb5_data *output, krb5_cred **rep);
1561 krb5_error_code decode_krb5_enc_cred_part
1562 (const krb5_data *output, krb5_cred_enc_part **rep);
1564 krb5_error_code decode_krb5_error
1565 (const krb5_data *output, krb5_error **rep);
1567 krb5_error_code decode_krb5_authdata
1568 (const krb5_data *output, krb5_authdata ***rep);
1570 krb5_error_code decode_krb5_pwd_sequence
1571 (const krb5_data *output, passwd_phrase_element **rep);
1573 krb5_error_code decode_krb5_pwd_data
1574 (const krb5_data *output, krb5_pwd_data **rep);
1576 krb5_error_code decode_krb5_padata_sequence
1577 (const krb5_data *output, krb5_pa_data ***rep);
1579 krb5_error_code decode_krb5_alt_method
1580 (const krb5_data *output, krb5_alt_method **rep);
1582 krb5_error_code decode_krb5_etype_info
1583 (const krb5_data *output, krb5_etype_info_entry ***rep);
1585 krb5_error_code decode_krb5_etype_info2
1586 (const krb5_data *output, krb5_etype_info_entry ***rep);
1588 krb5_error_code decode_krb5_enc_data
1589 (const krb5_data *output, krb5_enc_data **rep);
1591 krb5_error_code decode_krb5_pa_enc_ts
1592 (const krb5_data *output, krb5_pa_enc_ts **rep);
1594 krb5_error_code decode_krb5_sam_key
1595 (const krb5_data *, krb5_sam_key **);
1597 struct _krb5_key_data; /* kdb.h */
1599 struct ldap_seqof_key_data {
1600 krb5_int32 mkvno; /* Master key version number */
1601 struct _krb5_key_data *key_data;
1602 krb5_int16 n_key_data;
1604 typedef struct ldap_seqof_key_data ldap_seqof_key_data;
1607 krb5int_ldap_encode_sequence_of_keys (ldap_seqof_key_data *val,
1611 krb5int_ldap_decode_sequence_of_keys (krb5_data *in,
1612 ldap_seqof_key_data **rep);
1614 /*************************************************************************
1615 * End of prototypes for krb5_decode.c
1616 *************************************************************************/
1618 #endif /* KRB5_ASN1__ */
1625 * Internal krb5 library routines
1627 krb5_error_code krb5_encrypt_tkt_part
1629 const krb5_keyblock *,
1633 krb5_error_code krb5_encode_kdc_rep
1636 const krb5_enc_kdc_rep_part *,
1638 const krb5_keyblock *,
1642 krb5_boolean krb5int_auth_con_chkseqnum
1643 (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
1645 * [De]Serialization Handle and operations.
1647 struct __krb5_serializer {
1649 krb5_error_code (*sizer) (krb5_context,
1652 krb5_error_code (*externalizer) (krb5_context,
1656 krb5_error_code (*internalizer) (krb5_context,
1661 typedef const struct __krb5_serializer * krb5_ser_handle;
1662 typedef struct __krb5_serializer krb5_ser_entry;
1664 krb5_ser_handle krb5_find_serializer
1667 krb5_error_code krb5_register_serializer
1669 const krb5_ser_entry *);
1671 /* Determine the external size of a particular opaque structure */
1672 krb5_error_code KRB5_CALLCONV krb5_size_opaque
1678 /* Serialize the structure into a buffer */
1679 krb5_error_code KRB5_CALLCONV krb5_externalize_opaque
1686 /* Deserialize the structure from a buffer */
1687 krb5_error_code KRB5_CALLCONV krb5_internalize_opaque
1694 /* Serialize data into a buffer */
1695 krb5_error_code krb5_externalize_data
1701 * Initialization routines.
1704 /* Initialize serialization for krb5_[os_]context */
1705 krb5_error_code KRB5_CALLCONV krb5_ser_context_init
1708 /* Initialize serialization for krb5_auth_context */
1709 krb5_error_code KRB5_CALLCONV krb5_ser_auth_context_init
1712 /* Initialize serialization for krb5_keytab */
1713 krb5_error_code KRB5_CALLCONV krb5_ser_keytab_init
1716 /* Initialize serialization for krb5_ccache */
1717 krb5_error_code KRB5_CALLCONV krb5_ser_ccache_init
1720 /* Initialize serialization for krb5_rcache */
1721 krb5_error_code KRB5_CALLCONV krb5_ser_rcache_init
1724 /* [De]serialize 4-byte integer */
1725 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int32
1729 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
1733 /* [De]serialize 8-byte integer */
1734 krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
1735 (krb5_int64, krb5_octet **, size_t *);
1736 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
1737 (krb5_int64 *, krb5_octet **, size_t *);
1738 /* [De]serialize byte string */
1739 krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
1744 krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
1750 krb5_error_code KRB5_CALLCONV krb5int_cc_default
1751 (krb5_context, krb5_ccache *);
1753 krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
1754 (krb5_context, krb5_ccache, krb5_flags,
1755 krb5_creds *, krb5_creds *);
1757 krb5_boolean KRB5_CALLCONV
1758 krb5_creds_compare (krb5_context in_context,
1759 krb5_creds *in_creds,
1760 krb5_creds *in_compare_creds);
1762 void krb5int_set_prompt_types
1763 (krb5_context, krb5_prompt_type *);
1766 krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
1767 krb5_keyblock * /* Old keyblock, not new! */);
1769 /* set and change password helpers */
1771 krb5_error_code krb5int_mk_chpw_req
1772 (krb5_context context, krb5_auth_context auth_context,
1773 krb5_data *ap_req, char *passwd, krb5_data *packet);
1774 krb5_error_code krb5int_rd_chpw_rep
1775 (krb5_context context, krb5_auth_context auth_context,
1776 krb5_data *packet, int *result_code,
1777 krb5_data *result_data);
1778 krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
1779 (krb5_context context, int result_code,
1780 char **result_codestr);
1781 krb5_error_code krb5int_mk_setpw_req
1782 (krb5_context context, krb5_auth_context auth_context,
1783 krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
1784 krb5_error_code krb5int_rd_setpw_rep
1785 (krb5_context context, krb5_auth_context auth_context,
1786 krb5_data *packet, int *result_code,
1787 krb5_data *result_data);
1788 krb5_error_code krb5int_setpw_result_code_string
1789 (krb5_context context, int result_code,
1790 const char **result_codestr);
1792 struct srv_dns_entry {
1793 struct srv_dns_entry *next;
1796 unsigned short port;
1799 #ifdef KRB5_DNS_LOOKUP
1801 krb5int_make_srv_query_realm(const krb5_data *realm,
1802 const char *service,
1803 const char *protocol,
1804 struct srv_dns_entry **answers);
1805 void krb5int_free_srv_dns_data(struct srv_dns_entry *);
1808 /* value to use when requesting a keytab entry and KVNO doesn't matter */
1809 #define IGNORE_VNO 0
1810 /* value to use when requesting a keytab entry and enctype doesn't matter */
1811 #define IGNORE_ENCTYPE 0
1814 * Convenience function for structure magic number
1816 #define KRB5_VERIFY_MAGIC(structure,magic_number) \
1817 if ((structure)->magic != (magic_number)) return (magic_number);
1819 /* to keep lint happy */
1820 #define krb5_xfree(val) free((char *)(val))
1822 /* To keep happy libraries which are (for now) accessing internal stuff */
1824 /* Make sure to increment by one when changing the struct */
1825 #define KRB5INT_ACCESS_STRUCT_VERSION 12
1828 struct ktext; /* from krb.h, for krb524 support */
1830 typedef struct _krb5int_access {
1832 const struct krb5_hash_provider *md5_hash_provider;
1833 const struct krb5_enc_provider *arcfour_enc_provider;
1834 krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
1835 const krb5_keyblock *key,
1836 unsigned int icount, const krb5_data *input,
1838 /* service location and communication */
1839 krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
1840 const struct addrlist *, struct sendto_callback_info*, krb5_data *reply,
1841 struct sockaddr *, socklen_t *,struct sockaddr *,
1843 int (*msg_handler)(krb5_context, const krb5_data *, void *),
1844 void *msg_handler_data);
1845 krb5_error_code (*add_host_to_list)(struct addrlist *lp,
1846 const char *hostname,
1847 int port, int secport,
1848 int socktype, int family);
1849 void (*free_addrlist) (struct addrlist *);
1851 krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
1852 const char *service,
1853 const char *protocol,
1854 struct srv_dns_entry **answers);
1855 void (*free_srv_dns_data)(struct srv_dns_entry *);
1856 int (*use_dns_kdc)(krb5_context);
1858 /* krb4 compatibility stuff -- may be null if not enabled */
1859 krb5_int32 (*krb_life_to_time)(krb5_int32, int);
1860 int (*krb_time_to_life)(krb5_int32, krb5_int32);
1861 int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
1862 krb5_error_code (*krb5int_c_mandatory_cksumtype)
1863 (krb5_context, krb5_enctype, krb5_cksumtype *);
1864 krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
1865 (krb5_int64, krb5_octet **, size_t *);
1866 krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
1867 (krb5_int64 *, krb5_octet **, size_t *);
1869 /* Used for KDB LDAP back end. */
1871 (*asn1_ldap_encode_sequence_of_keys) (ldap_seqof_key_data *val,
1875 (*asn1_ldap_decode_sequence_of_keys) (krb5_data *in,
1876 ldap_seqof_key_data **);
1879 * pkinit asn.1 encode/decode functions
1881 krb5_error_code (*encode_krb5_auth_pack)
1882 (const krb5_auth_pack *rep, krb5_data **code);
1883 krb5_error_code (*encode_krb5_auth_pack_draft9)
1884 (const krb5_auth_pack_draft9 *rep, krb5_data **code);
1885 krb5_error_code (*encode_krb5_kdc_dh_key_info)
1886 (const krb5_kdc_dh_key_info *rep, krb5_data **code);
1887 krb5_error_code (*encode_krb5_pa_pk_as_rep)
1888 (const krb5_pa_pk_as_rep *rep, krb5_data **code);
1889 krb5_error_code (*encode_krb5_pa_pk_as_rep_draft9)
1890 (const krb5_pa_pk_as_rep_draft9 *rep, krb5_data **code);
1891 krb5_error_code (*encode_krb5_pa_pk_as_req)
1892 (const krb5_pa_pk_as_req *rep, krb5_data **code);
1893 krb5_error_code (*encode_krb5_pa_pk_as_req_draft9)
1894 (const krb5_pa_pk_as_req_draft9 *rep, krb5_data **code);
1895 krb5_error_code (*encode_krb5_reply_key_pack)
1896 (const krb5_reply_key_pack *, krb5_data **code);
1897 krb5_error_code (*encode_krb5_reply_key_pack_draft9)
1898 (const krb5_reply_key_pack_draft9 *, krb5_data **code);
1899 krb5_error_code (*encode_krb5_td_dh_parameters)
1900 (const krb5_algorithm_identifier **, krb5_data **code);
1901 krb5_error_code (*encode_krb5_td_trusted_certifiers)
1902 (const krb5_external_principal_identifier **, krb5_data **code);
1903 krb5_error_code (*encode_krb5_typed_data)
1904 (const krb5_typed_data **, krb5_data **code);
1906 krb5_error_code (*decode_krb5_auth_pack)
1907 (const krb5_data *, krb5_auth_pack **);
1908 krb5_error_code (*decode_krb5_auth_pack_draft9)
1909 (const krb5_data *, krb5_auth_pack_draft9 **);
1910 krb5_error_code (*decode_krb5_pa_pk_as_req)
1911 (const krb5_data *, krb5_pa_pk_as_req **);
1912 krb5_error_code (*decode_krb5_pa_pk_as_req_draft9)
1913 (const krb5_data *, krb5_pa_pk_as_req_draft9 **);
1914 krb5_error_code (*decode_krb5_pa_pk_as_rep)
1915 (const krb5_data *, krb5_pa_pk_as_rep **);
1916 krb5_error_code (*decode_krb5_pa_pk_as_rep_draft9)
1917 (const krb5_data *, krb5_pa_pk_as_rep_draft9 **);
1918 krb5_error_code (*decode_krb5_kdc_dh_key_info)
1919 (const krb5_data *, krb5_kdc_dh_key_info **);
1920 krb5_error_code (*decode_krb5_principal_name)
1921 (const krb5_data *, krb5_principal_data **);
1922 krb5_error_code (*decode_krb5_reply_key_pack)
1923 (const krb5_data *, krb5_reply_key_pack **);
1924 krb5_error_code (*decode_krb5_reply_key_pack_draft9)
1925 (const krb5_data *, krb5_reply_key_pack_draft9 **);
1926 krb5_error_code (*decode_krb5_td_dh_parameters)
1927 (const krb5_data *, krb5_algorithm_identifier ***);
1928 krb5_error_code (*decode_krb5_td_trusted_certifiers)
1929 (const krb5_data *, krb5_external_principal_identifier ***);
1930 krb5_error_code (*decode_krb5_typed_data)
1931 (const krb5_data *, krb5_typed_data ***);
1933 krb5_error_code (*decode_krb5_as_req)
1934 (const krb5_data *output, krb5_kdc_req **rep);
1935 krb5_error_code (*encode_krb5_kdc_req_body)
1936 (const krb5_kdc_req *rep, krb5_data **code);
1937 void (KRB5_CALLCONV *krb5_free_kdc_req)
1938 (krb5_context, krb5_kdc_req * );
1939 void (*krb5int_set_prompt_types)
1940 (krb5_context, krb5_prompt_type *);
1941 krb5_error_code (*encode_krb5_authdata_elt)
1942 (const krb5_authdata *rep, krb5_data **code);
1946 #define KRB5INT_ACCESS_VERSION \
1947 (((krb5_int32)((sizeof(krb5int_access) & 0xFFFF) | \
1948 (KRB5INT_ACCESS_STRUCT_VERSION << 16))) & 0xFFFFFFFF)
1950 krb5_error_code KRB5_CALLCONV krb5int_accessor
1951 (krb5int_access*, krb5_int32);
1953 /* Ick -- some krb524 and krb4 support placed in the krb5 library,
1954 because AFS (and potentially other applications?) use the krb4
1955 object as an opaque token, which (in some implementations) is not
1956 in fact a krb4 ticket, so we don't want to drag in the krb4 support
1957 just to enable this. */
1959 #define KRB524_SERVICE "krb524"
1960 #define KRB524_PORT 4444
1963 extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
1964 extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
1967 int krb5int_encode_v4tkt
1968 (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
1971 int krb5int_524_sendto_kdc
1972 (krb5_context context, const krb5_data * message,
1973 const krb5_data * realm, krb5_data * reply,
1974 struct sockaddr *, socklen_t *);
1976 /* temporary -- this should be under lib/krb5/ccache somewhere */
1978 struct _krb5_ccache {
1980 const struct _krb5_cc_ops *ops;
1985 * Per-type ccache cursor.
1987 struct krb5_cc_ptcursor {
1988 const struct _krb5_cc_ops *ops;
1991 typedef struct krb5_cc_ptcursor *krb5_cc_ptcursor;
1993 struct _krb5_cc_ops {
1996 const char * (KRB5_CALLCONV *get_name) (krb5_context, krb5_ccache);
1997 krb5_error_code (KRB5_CALLCONV *resolve) (krb5_context, krb5_ccache *,
1999 krb5_error_code (KRB5_CALLCONV *gen_new) (krb5_context, krb5_ccache *);
2000 krb5_error_code (KRB5_CALLCONV *init) (krb5_context, krb5_ccache,
2002 krb5_error_code (KRB5_CALLCONV *destroy) (krb5_context, krb5_ccache);
2003 krb5_error_code (KRB5_CALLCONV *close) (krb5_context, krb5_ccache);
2004 krb5_error_code (KRB5_CALLCONV *store) (krb5_context, krb5_ccache,
2006 krb5_error_code (KRB5_CALLCONV *retrieve) (krb5_context, krb5_ccache,
2007 krb5_flags, krb5_creds *,
2009 krb5_error_code (KRB5_CALLCONV *get_princ) (krb5_context, krb5_ccache,
2011 krb5_error_code (KRB5_CALLCONV *get_first) (krb5_context, krb5_ccache,
2013 krb5_error_code (KRB5_CALLCONV *get_next) (krb5_context, krb5_ccache,
2014 krb5_cc_cursor *, krb5_creds *);
2015 krb5_error_code (KRB5_CALLCONV *end_get) (krb5_context, krb5_ccache,
2017 krb5_error_code (KRB5_CALLCONV *remove_cred) (krb5_context, krb5_ccache,
2018 krb5_flags, krb5_creds *);
2019 krb5_error_code (KRB5_CALLCONV *set_flags) (krb5_context, krb5_ccache,
2021 krb5_error_code (KRB5_CALLCONV *get_flags) (krb5_context, krb5_ccache,
2023 krb5_error_code (KRB5_CALLCONV *ptcursor_new)(krb5_context,
2024 krb5_cc_ptcursor *);
2025 krb5_error_code (KRB5_CALLCONV *ptcursor_next)(krb5_context,
2028 krb5_error_code (KRB5_CALLCONV *ptcursor_free)(krb5_context,
2029 krb5_cc_ptcursor *);
2030 krb5_error_code (KRB5_CALLCONV *move)(krb5_context, krb5_ccache,
2032 krb5_error_code (KRB5_CALLCONV *lastchange)(krb5_context,
2033 krb5_ccache, krb5_timestamp *);
2034 krb5_error_code (KRB5_CALLCONV *wasdefault)(krb5_context, krb5_ccache,
2036 krb5_error_code (KRB5_CALLCONV *lock)(krb5_context, krb5_ccache);
2037 krb5_error_code (KRB5_CALLCONV *unlock)(krb5_context, krb5_ccache);
2040 extern const krb5_cc_ops *krb5_cc_dfl_ops;
2043 krb5int_cc_os_default_name(krb5_context context, char **name);
2045 /* reentrant mutex used by krb5_cc_* functions */
2046 typedef struct _k5_cc_mutex {
2049 krb5_int32 refcount;
2052 #define K5_CC_MUTEX_PARTIAL_INITIALIZER \
2053 { K5_MUTEX_PARTIAL_INITIALIZER, NULL, 0 }
2056 k5_cc_mutex_init(k5_cc_mutex *m);
2059 k5_cc_mutex_finish_init(k5_cc_mutex *m);
2061 #define k5_cc_mutex_destroy(M) \
2062 k5_mutex_destroy(&(M)->lock);
2065 k5_cc_mutex_assert_locked(krb5_context context, k5_cc_mutex *m);
2068 k5_cc_mutex_assert_unlocked(krb5_context context, k5_cc_mutex *m);
2071 k5_cc_mutex_lock(krb5_context context, k5_cc_mutex *m);
2074 k5_cc_mutex_unlock(krb5_context context, k5_cc_mutex *m);
2076 typedef struct _krb5_donot_replay {
2079 char *server; /* null-terminated */
2080 char *client; /* null-terminated */
2082 krb5_timestamp ctime;
2083 } krb5_donot_replay;
2085 krb5_error_code krb5_rc_default
2088 krb5_error_code krb5_rc_resolve_type
2090 krb5_rcache *,char *);
2091 krb5_error_code krb5_rc_resolve_full
2093 krb5_rcache *,char *);
2094 char * krb5_rc_get_type
2097 char * krb5_rc_default_type
2099 char * krb5_rc_default_name
2101 krb5_error_code krb5_auth_to_rep
2104 krb5_donot_replay *);
2107 krb5_error_code KRB5_CALLCONV krb5_rc_initialize
2108 (krb5_context, krb5_rcache,krb5_deltat);
2109 krb5_error_code KRB5_CALLCONV krb5_rc_recover_or_initialize
2110 (krb5_context, krb5_rcache,krb5_deltat);
2111 krb5_error_code KRB5_CALLCONV krb5_rc_recover
2112 (krb5_context, krb5_rcache);
2113 krb5_error_code KRB5_CALLCONV krb5_rc_destroy
2114 (krb5_context, krb5_rcache);
2115 krb5_error_code KRB5_CALLCONV krb5_rc_close
2116 (krb5_context, krb5_rcache);
2117 krb5_error_code KRB5_CALLCONV krb5_rc_store
2118 (krb5_context, krb5_rcache,krb5_donot_replay *);
2119 krb5_error_code KRB5_CALLCONV krb5_rc_expunge
2120 (krb5_context, krb5_rcache);
2121 krb5_error_code KRB5_CALLCONV krb5_rc_get_lifespan
2122 (krb5_context, krb5_rcache,krb5_deltat *);
2123 char *KRB5_CALLCONV krb5_rc_get_name
2124 (krb5_context, krb5_rcache);
2125 krb5_error_code KRB5_CALLCONV krb5_rc_resolve
2126 (krb5_context, krb5_rcache, char *);
2128 typedef struct _krb5_kt_ops {
2131 /* routines always present */
2132 krb5_error_code (KRB5_CALLCONV *resolve)
2136 krb5_error_code (KRB5_CALLCONV *get_name)
2141 krb5_error_code (KRB5_CALLCONV *close)
2144 krb5_error_code (KRB5_CALLCONV *get)
2147 krb5_const_principal,
2150 krb5_keytab_entry *);
2151 krb5_error_code (KRB5_CALLCONV *start_seq_get)
2155 krb5_error_code (KRB5_CALLCONV *get_next)
2158 krb5_keytab_entry *,
2160 krb5_error_code (KRB5_CALLCONV *end_get)
2164 /* routines to be included on extended version (write routines) */
2165 krb5_error_code (KRB5_CALLCONV *add)
2168 krb5_keytab_entry *);
2169 krb5_error_code (KRB5_CALLCONV *remove)
2172 krb5_keytab_entry *);
2174 /* Handle for serializer */
2175 const krb5_ser_entry *serializer;
2178 extern const krb5_kt_ops krb5_kt_dfl_ops;
2180 extern krb5_error_code krb5int_translate_gai_error (int);
2182 /* Not sure it's ready for exposure just yet. */
2183 extern krb5_error_code
2184 krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
2186 extern int krb5int_crypto_init (void);
2187 extern int krb5int_prng_init(void);
2189 #define krb5_copy_error_state(CTX, OCTX) \
2190 krb5int_set_error(&(CTX)->errinfo, (OCTX)->errinfo.code, "%s", (OCTX)->errinfo.msg)
2193 * Referral definitions, debugging hooks, and subfunctions.
2195 #define KRB5_REFERRAL_MAXHOPS 5
2196 /* #define DEBUG_REFERRALS */
2198 #ifdef DEBUG_REFERRALS
2199 void krb5int_dbgref_dump_principal(char *, krb5_principal);
2202 /* Common hostname-parsing code. */
2203 krb5_error_code KRB5_CALLCONV krb5int_clean_hostname
2209 /* Use the above four instead. */
2210 krb5_boolean KRB5_CALLCONV valid_enctype
2211 (krb5_enctype ktype);
2212 krb5_boolean KRB5_CALLCONV valid_cksumtype
2213 (krb5_cksumtype ctype);
2214 krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
2215 (krb5_cksumtype ctype);
2216 krb5_boolean KRB5_CALLCONV is_keyed_cksum
2217 (krb5_cksumtype ctype);
2219 krb5_error_code KRB5_CALLCONV krb5_random_confounder
2220 (size_t, krb5_pointer);
2222 krb5_error_code krb5_encrypt_data
2223 (krb5_context context, krb5_keyblock *key,
2224 krb5_pointer ivec, krb5_data *data,
2225 krb5_enc_data *enc_data);
2227 krb5_error_code krb5_decrypt_data
2228 (krb5_context context, krb5_keyblock *key,
2229 krb5_pointer ivec, krb5_enc_data *data,
2230 krb5_data *enc_data);
2233 krb5int_aes_encrypt(const krb5_keyblock *key, const krb5_data *ivec,
2234 const krb5_data *input, krb5_data *output);
2236 krb5int_aes_decrypt(const krb5_keyblock *key, const krb5_data *ivec,
2237 const krb5_data *input, krb5_data *output);
2239 struct _krb5_kt_ops;
2240 struct _krb5_kt { /* should move into k5-int.h */
2242 const struct _krb5_kt_ops *ops;
2246 krb5_error_code krb5_set_default_in_tkt_ktypes
2248 const krb5_enctype *);
2249 krb5_error_code krb5_get_default_in_tkt_ktypes
2253 krb5_error_code krb5_set_default_tgs_ktypes
2255 const krb5_enctype *);
2257 krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes
2259 krb5_const_principal,
2262 void KRB5_CALLCONV krb5_free_ktypes
2263 (krb5_context, krb5_enctype *);
2265 krb5_boolean krb5_is_permitted_enctype
2266 (krb5_context, krb5_enctype);
2268 krb5_error_code krb5_kdc_rep_decrypt_proc
2270 const krb5_keyblock *,
2273 krb5_error_code KRB5_CALLCONV krb5_decrypt_tkt_part
2275 const krb5_keyblock *,
2277 krb5_error_code krb5_get_cred_from_kdc
2279 krb5_ccache, /* not const, as reading may save
2284 krb5_error_code krb5_get_cred_from_kdc_validate
2286 krb5_ccache, /* not const, as reading may save
2291 krb5_error_code krb5_get_cred_from_kdc_renew
2293 krb5_ccache, /* not const, as reading may save
2299 krb5_error_code krb5_get_cred_via_tkt
2303 krb5_address * const *,
2307 krb5_error_code KRB5_CALLCONV krb5_copy_addr
2309 const krb5_address *,
2316 krb5_error_code krb5_generate_subkey
2318 const krb5_keyblock *, krb5_keyblock **);
2319 krb5_error_code krb5_generate_seq_number
2321 const krb5_keyblock *, krb5_ui_4 *);
2323 krb5_error_code KRB5_CALLCONV krb5_kt_register
2325 const struct _krb5_kt_ops * );
2327 /* use krb5_free_keytab_entry_contents instead */
2328 krb5_error_code KRB5_CALLCONV krb5_kt_free_entry
2330 krb5_keytab_entry * );
2332 krb5_error_code krb5_principal2salt_norealm
2334 krb5_const_principal, krb5_data *);
2336 unsigned int KRB5_CALLCONV krb5_get_notification_message
2340 krb5_error_code krb5_check_transited_list
2341 (krb5_context, const krb5_data *trans,
2342 const krb5_data *realm1, const krb5_data *realm2);
2345 void krb5_free_realm_tree
2349 void KRB5_CALLCONV krb5_free_authenticator_contents
2350 (krb5_context, krb5_authenticator * );
2352 void KRB5_CALLCONV krb5_free_address
2353 (krb5_context, krb5_address * );
2355 void KRB5_CALLCONV krb5_free_enc_tkt_part
2356 (krb5_context, krb5_enc_tkt_part * );
2358 void KRB5_CALLCONV krb5_free_tickets
2359 (krb5_context, krb5_ticket ** );
2360 void KRB5_CALLCONV krb5_free_kdc_req
2361 (krb5_context, krb5_kdc_req * );
2362 void KRB5_CALLCONV krb5_free_kdc_rep
2363 (krb5_context, krb5_kdc_rep * );
2364 void KRB5_CALLCONV krb5_free_last_req
2365 (krb5_context, krb5_last_req_entry ** );
2366 void KRB5_CALLCONV krb5_free_enc_kdc_rep_part
2367 (krb5_context, krb5_enc_kdc_rep_part * );
2368 void KRB5_CALLCONV krb5_free_ap_req
2369 (krb5_context, krb5_ap_req * );
2370 void KRB5_CALLCONV krb5_free_ap_rep
2371 (krb5_context, krb5_ap_rep * );
2372 void KRB5_CALLCONV krb5_free_cred
2373 (krb5_context, krb5_cred *);
2374 void KRB5_CALLCONV krb5_free_cred_enc_part
2375 (krb5_context, krb5_cred_enc_part *);
2376 void KRB5_CALLCONV krb5_free_pa_data
2377 (krb5_context, krb5_pa_data **);
2378 void KRB5_CALLCONV krb5_free_tkt_authent
2379 (krb5_context, krb5_tkt_authent *);
2380 void KRB5_CALLCONV krb5_free_pwd_data
2381 (krb5_context, krb5_pwd_data *);
2382 void KRB5_CALLCONV krb5_free_pwd_sequences
2383 (krb5_context, passwd_phrase_element **);
2384 krb5_error_code krb5_set_config_files
2385 (krb5_context, const char **);
2387 krb5_error_code KRB5_CALLCONV krb5_get_default_config_files
2388 (char ***filenames);
2390 void KRB5_CALLCONV krb5_free_config_files
2392 krb5_error_code krb5_send_tgs
2395 const krb5_ticket_times *,
2396 const krb5_enctype *,
2397 krb5_const_principal,
2398 krb5_address * const *,
2399 krb5_authdata * const *,
2400 krb5_pa_data * const *,
2404 krb5_error_code krb5_decode_kdc_rep
2407 const krb5_keyblock *,
2410 krb5_error_code krb5_rd_req_decoded
2412 krb5_auth_context *,
2413 const krb5_ap_req *,
2414 krb5_const_principal,
2419 krb5_error_code krb5_rd_req_decoded_anyflag
2421 krb5_auth_context *,
2422 const krb5_ap_req *,
2423 krb5_const_principal,
2427 krb5_error_code KRB5_CALLCONV krb5_cc_register
2429 const krb5_cc_ops *,
2431 krb5_error_code krb5_walk_realm_tree
2437 krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype
2442 krb5_error_code krb5_auth_con_set_safe_cksumtype
2446 krb5_error_code krb5_auth_con_setivector
2451 krb5_error_code krb5_auth_con_getivector
2456 krb5_error_code krb5_auth_con_setpermetypes
2459 const krb5_enctype *);
2461 krb5_error_code krb5_auth_con_getpermetypes
2466 krb5_error_code KRB5_CALLCONV
2467 krb5int_server_decrypt_ticket_keyblock
2468 (krb5_context context,
2469 const krb5_keyblock *key,
2470 krb5_ticket *ticket);
2472 krb5_error_code krb5_read_message (krb5_context, krb5_pointer, krb5_data *);
2473 krb5_error_code krb5_write_message (krb5_context, krb5_pointer, krb5_data *);
2474 int krb5_net_read (krb5_context, int , char *, int);
2475 int krb5_net_write (krb5_context, int , const char *, int);
2477 krb5_error_code KRB5_CALLCONV krb5_get_realm_domain
2482 krb5_error_code krb5_gen_portaddr
2484 const krb5_address *,
2487 krb5_error_code krb5_gen_replay_name
2489 const krb5_address *,
2492 krb5_error_code krb5_make_fulladdr
2498 krb5_error_code krb5_set_debugging_time
2499 (krb5_context, krb5_timestamp, krb5_int32);
2500 krb5_error_code krb5_use_natural_time
2502 krb5_error_code krb5_set_time_offsets
2503 (krb5_context, krb5_timestamp, krb5_int32);
2504 krb5_error_code krb5int_check_clockskew(krb5_context, krb5_timestamp);
2506 * The realm iterator functions
2509 krb5_error_code KRB5_CALLCONV krb5_realm_iterator_create
2510 (krb5_context context, void **iter_p);
2512 krb5_error_code KRB5_CALLCONV krb5_realm_iterator
2513 (krb5_context context, void **iter_p, char **ret_realm);
2515 void KRB5_CALLCONV krb5_realm_iterator_free
2516 (krb5_context context, void **iter_p);
2518 void KRB5_CALLCONV krb5_free_realm_string
2519 (krb5_context context, char *str);
2521 /* Internal principal function used by KIM to avoid code duplication */
2522 krb5_error_code KRB5_CALLCONV
2523 krb5int_build_principal_alloc_va(krb5_context context,
2524 krb5_principal *princ,
2530 /* Some data comparison and conversion functions. */
2532 static inline int data_cmp(krb5_data d1, krb5_data d2)
2534 if (d1.length < d2.length) return -1;
2535 if (d1.length > d2.length) return 1;
2536 return memcmp(d1.data, d2.data, d1.length);
2538 static inline int data_eq (krb5_data d1, krb5_data d2)
2540 return data_cmp(d1, d2) == 0;
2543 static inline int data_eq (krb5_data d1, krb5_data d2)
2545 return (d1.length == d2.length
2546 && !memcmp(d1.data, d2.data, d1.length));
2549 static inline krb5_data string2data (char *str)
2552 d.magic = KV5M_DATA;
2553 d.length = strlen(str);
2557 static inline int data_eq_string (krb5_data d, char *s)
2559 return data_eq(d, string2data(s));
2561 static inline int authdata_eq (krb5_authdata a1, krb5_authdata a2)
2563 return (a1.ad_type == a2.ad_type
2564 && a1.length == a2.length
2565 && !memcmp(a1.contents, a2.contents, a1.length));
2567 #endif /* _KRB5_INT_H */